COMPUTER SYSTEMS LABORATORY BULLETIN
Advising users on computer systems technology
February 1992
ESTABLISHING A COMPUTER SECURITY INCIDENT RESPONSE CAPABILITY
Introduction
Computer systems and the information they store are valuable
resources that need to be protected. Increasingly sophisticated
threats, including system and network intruders, computer
viruses, and network worms, can exploit a variety of weaknesses
in computer systems and cause significant damage. Due to the
increased use of local area networks (LANs) and large networks
such as the Internet, damage caused by seemingly isolated
computer security incidents can spread to other systems,
causing widespread denial of service and other losses.
Government agencies, business, and academic institutions need
to take steps to understand the increased threats now
affecting computer systems and to learn how to respond to
computer security incidents with the requisite speed and
skill. This bulletin recommends the use of a Computer
Security Incident Response Capability (CSIRC) as part of a
computer security program so that incidents can be contained
and ultimately prevented in a timely and cost-effective
manner.
A Changing Threat Scenario
Prior to the mid-1980s, the predominant threats to computer
security (besides errors and omissions) were physical and
environmental, including insider attacks, fire and water
damage, theft, and physical damage. These threats are largely
understood and controllable through the use of traditional
controls and contingency planning. Now, a new class of
software-based threats has become just as important to
understand and control; these threats include unauthorized
intruders and users who exploit system vulnerabilities,
computer viruses, network worms, and Trojan horses. Several
factors have contributed to the growing presence of these
threats.
Reliance on Computers - Many agencies rely on computers and
networks for communications and accomplishment of work;
conversely, many agencies would suffer great losses to
productivity should their systems become unavailable. Due to
system complexity, reliance on computer systems often presents
unanticipated risks and vulnerabilities.
Computer Viruses - Computer viruses in particular have caused
a major upheaval in personal computer security. Some virus
researchers believe that the virus problem is getting worse,
due in part to the proliferation of personal computers (with
minimal built-in security controls), LANs, and a disregard
for safe computing practices. The number of variants of
viruses has also increased, pushing the total number of
viruses close to one thousand or more. Some researchers
estimate that the probability of a personal computer user
encountering a virus has increased substantially.
Use of Large Networks - Large networks, linking governments,
businesses, and academia, are growing by leaps and bounds.
Efficient response to computer security incidents is very
important for agencies positioned on large networks, as
compromise of one computer can affect a significant number of
other systems connected to the network but located in
different organizations, with resultant legal and financial
ramifications. Incident response teams note that intruder
attempts to penetrate systems occur daily at numerous sites
throughout the United States, and that many agencies are
often unaware that their systems have been penetrated or used
as springboards for attacks on other systems.
How Bad is the Problem? - Computer security incidents appear
regularly in media reports. In 1988, the Internet Worm
caused shutdowns and denial of service problems for weeks at
over 3000 sites. In 1989, the NASA WANK (Worms Against
Nuclear Killers) Worm caused a major loss of availability
along two large government networks, resulting in significant
expense and investigations by the GAO into network management
and security. Other incidents include intruders using
international networks to target U.S. government systems.
There are also reports of virus-infected software being
shipped by vendors and distributors, and reports of viruses
on LAN servers that spread throughout entire organizations in
minutes. While publicized incidents tell us that the computer
security picture is not good, most computer security
incidents are never reported.
The CSIRC Concept
Many computer security programs are not effective in dealing
with this newer and less-understood class of threats.
Traditional responses, such as risk analysis, contingency
planning, and computer security reviews, have not been
sufficient in controlling incidents and preventing significant
damage. Stories abound of incidents in which the problems
grow worse or do not go away. Fearing unknown threats, some
have misguidedly restricted their access to systems and
networks. Consequently, some organizations spend far too much
time reacting to recurring incidents at costs to convenience
and productivity. What is needed, therefore, is a
fundamentally different form of computer security response
that is capable of quickly detecting and responding to
incidents in a manner that is both cost-efficient and
effective.
A Computer Security Incident Response Capability (CSIRC) is
prepared to detect and react to computer security incidents
in a skilled and efficient manner. A CSIRC is a combination
of technically skilled people, policies, and techniques that
constitute a proactive approach to handling computer security
incidents. A CSIRC, together with traditional computer
security elements, can provide organization-wide protection
from damaging incidents, saving the organization valuable
resources and permitting it to take better advantage of
computer technology. Already, a number of agencies and other
institutions have started CSIRC efforts, with good success.
Skilled and Efficient Response - Skill and efficiency are the
hallmarks of a CSIRC. Without a CSIRC, incident response can
be disorganized and ineffective, with much higher expenses
and vulnerabilities still left open and unprotected. For
example, uneducated responses to small outbreaks of computer
viruses can actually make the problems far worse, resulting
in hundreds of computers being infected by the response team
itself. A CSIRC will help to manage incident response
expenses that otherwise would be difficult to track, to make
risk assessment more accurate, and to improve user training
and awareness of computer security. Conversely, an
inefficient incident response effort could perpetuate
existing problems and even make them worse.
Centralization and Non-Duplication of Effort - A CSIRC
utilizes centralized means for reporting and handling
incidents. This increases efficiency; it also permits more
accurate assessment of incidents, such as whether they are
related (to more quickly avert possible widespread damage).
By virtue of centralization, CSIRC expenses and overhead can
be held down and duplication of effort can be reduced or
possibly eliminated. Agencies may find that a significant
cost savings can result.
Enhanced User Awareness of Threats - The benefits of a CSIRC
include enhanced user awareness of threats and knowledge of
appropriate controls. A CSIRC will identify vulnerabilities,
issue computer security alerts, and make contacts with other
computer security groups, all resulting in increased
information that can be made available to the organization
through a variety of mechanisms: electronic bulletin boards,
networks, seminars, and training workshops. This information
will greatly improve users' ability to manage their systems
efficiently and securely.
Building a CSIRC
Many computer security programs will not need to build a
CSIRC "from the ground up." Rather, they may already have a
number of the building blocks necessary, such as help desks,
central hotlines, and personnel with the requisite technical
skills.
Constituency - Implicit in the concept of a CSIRC is the
requirement for a constituency, i.e., those users served by
the CSIRC. In many cases, the constituency will be the
organization itself. The size and scope of a CSIRC, however,
are directly impacted by the needs and size of the
constituency, including its degree of technical knowledge,
the diversity of technologies, and the sensitivity of the
systems and data.
CSIRC Structure - There is no "one" structure for a CSIRC;
depending on an agency's needs and structure, a CSIRC can
take many forms. A highly centralized CSIRC may represent
the most cost-effective structure; however, some agencies may
find that a more distributed structure, with some inevitable
overlap, will fit in best with existing agency structures.
Very small agencies and organizations may find it practical
to share a CSIRC with a larger organization. Hence, a CSIRC
structure will vary depending on many factors. Centralized
reporting and centralization of effort will help to decrease
operating costs and at the same time improve efficiency and
security.
Centralized Reporting - Effective incident response depends
upon the constituency's ability to quickly and conveniently
communicate with the CSIRC. Effective communications
mechanisms include a central telephone "hotline" monitored on
a 24-hour basis, a central electronic-mail (e-mail) address,
or a pager arrangement. Users should be encouraged to
contact the CSIRC by making the communications
straightforward (i.e., having to remember only one telephone
number).
Alert Mechanisms - The constituency will be best served if
there is also a convenient mechanism for the CSIRC to alert
the constituency. The CSIRC should be able to quickly reach
all users by sending to a central mailing list or,
alternatively, telephone voice mailbox messages or management
points-of-contact lists.
Personnel - CSIRC personnel will need to diagnose or
understand technical problems, thus technical knowledge is a
primary qualification. Good communications skills are
equally important. Computer security incidents can foster
emotionally charged situations; hence a skilled communicator
must know how to resolve technical problems without fueling
emotions or adding complications. In addition, CSIRC
personnel may spend much of their time communicating with
affected users and managers, either directly or by preparing
alert information, bulletins, and other guidance. It may be
difficult to find personnel who have the correct mix of
technical, communications, and political skills.
Contracting a CSIRC
When contracting, agencies should keep in mind that numerous
sensitive issues can arise from incident handling; these
issues will be very important to consider in any contractual
agreement. Because a CSIRC may play a large role in
determining computer security policy, agencies may find it
advantageous to contract certain tasks associated with a
CSIRC as opposed to contracting the entire CSIRC operation.
Agencies should expect that increased communications and
oversight will be necessary when contracting any part of a
CSIRC and that some incident response expertise will have to
be developed in-house for this purpose. The agency and
contractor will need to coordinate closely on many issues,
including dealings with the media, vendors, legal and
investigative matters, and dealings with outside groups
(especially if involved in a mutual incident). The
sensitivity of data or operations may require contractor
personnel to get security clearances; handling of classified
information by contractors may require increased oversight.
Importance of Traditional Computer Security Functions
An incident response capability does not do away with the
need for effective risk analysis, physical security, and
other standard components of a computer security program.
Simple errors and omissions may still remain the primary
threat to computer security, along with other physical and
environmental threats; they should not be ignored or
downplayed in light of the attention often given to viruses
and related threats. A strong risk analysis program remains
highly important for identifying the complete set of threats,
vulnerabilities, and controls; the logs and statistics
gathered by a CSIRC will help to make subsequent risk
analyses more precise and useful. Computer security reviews
are still a preferred method for improving the security
program, of which a CSIRC is just one component.
Cooperation Among CSIRCs
System intruders, viruses, and similar threats do not respect
organizational boundaries. It follows, then, that
cooperation among CSIRCs can be valuable for learning about
current threats, sharing incident response-related
information, and resolving incidents. Additionally,
cooperating CSIRCs may be able to assist each other in
situations where one CSIRC possesses certain technical skills
that another CSIRC lacks.
The Forum of Incident Response and Security Teams - The Forum
of Incident Response and Security Teams (FIRST) is a group of
incident response teams whose members work together
voluntarily to deal with computer security problems and their
prevention. The objective of FIRST is to further
communications among CSIRCs and to foster increased
participation in incident response-related activities.
There are two types of participation in the forum. Forum
Members, i.e., incident response teams, assist a defined
constituency in preventing and handling computer security-
related incidents. Liaisons are individuals or
representatives of organizations other than emergency
response teams that have a legitimate interest in and value
to the forum. Several U.S. agencies participate, as well as
industry and academia.
NIST Special Publication 800-3
NIST Special Publication (SP) 800-3, Establishing a Computer
Security Incident Response Capability (CSIRC), provides more
information on issues in establishing and operating a CSIRC,
including an annotated bibliography of incident response-
related documents. This guide can be obtained from the
Government Printing Office (GPO), Washington, DC 20402, GPO
Stock Number SN003-003-03121-6, for $3.00.
An electronic version of SP 800-3 in PostScript format can be
obtained from our Computer Security BBS or via the Internet
using ftp or e-mail. Information about FIRST is also
available, including membership information, operational
procedures, and incident response team contact information.
To contact the BBS, dial 301-948-5717 for 2400 BPS
(301-948-5140 for 9600 BPS). The filename for SP 800-3 is
800-3.ps; several files are also available concerning FIRST.
The ftp address is csrc.nist.gov, with filename
pub/pubs/800-3.ps and the FIRST files in directory pub/first.
To obtain the files, send the following e-mail message to
docserver@csrc.nist.gov:
send INDEX
send 800-3.ps
An index of available files plus a copy of SP 800-3 will be
sent to you in e-mail messages.
For more information about NIST's ongoing work in incident
response activities, contact John Wack, Computer Security
Division, Room A-216, Technology Building, National Institute
of Standards and Technology, Gaithersburg, MD 20899.
Telephone: 301-975-3411 (FTS 879-3411); e-mail:
csrc@csrc.nist.gov.